I don't understand. If I can modify java.home, it means I can control
any properties the VM comes up with, right? Isn't java.home set on VM
start and immutable?
geir
Tim Ellison wrote:
> Alexey Varlamov wrote:
>> Boris, for the security-sensitive applications, there is an appropriate
>> guard in place:
>>
>> public SecurityManager() {
>>     SecurityManager security = System.getSecurityManager();
>>     if (security != null) {
>>         security.checkPermission(RuntimePermission.permissionToCreateSecurityManager);
>>     }
>>     Class<?> type = Security.class; // initialize Security properties
>>     if (type == null) {
>>         throw new AssertionError();
>>     }
>> }
>>
>> I believe this is enough. In fact, if the code has enough privileges to
>> modify such principal system properties, there might be even more
>> severe problems...
>
> I agree.
>
> Regards,
> Tim
>